malwarewikiaorg-20200223-history
CryptXXX
CryptXXX, also known as UltraCrypter, Google Decryptor or Microsoft Decryptor, is a Windows ransomware infection that affects all versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 10. It was discovered by Kafeine. It is aimed at English-speaking users. When a victim is infected, their files are encrypted and a ransom of about 2.4 bitcoins, or approximately $1,000 USD, is demanded in order to receive the decryption key. It has the same layout as CryptoWall. Based on Kafeine's analysis, Proofpoint determined that CryptXXX is affiliated with the developers of the Angler Exploit Kit as well as the Reveton family.

On April 15th, 2016, Proofpoint researchers noticed that the Bedep downloader downloads the Angler exploit kit and the Dridex trojan. On April 25th, 2016, Kaspersky released a free decryptor for this ransomware. On May 9th, 2016, CryptXXX was updated to 2.0. On May 13th of the same year, Kaspersky updated the decryptor. On May 21st, 2016, CryptXXX was once again updated, to 3.0, in order to stop Kaspersky's RannohDecryptor from decrypting files for free. The update also broke CryptXXX's own decryptor; on May 25th of the same year, the developers updated their decryptor to work on 3.0. On June 1st, 2016, CryptXXX was rebranded to UltraCrypter. It had an issue where the payment system did not recognize ransom payments, so the developers added a Helpdesk tab to the UltraDeCrypter payment site. This tab contains a form that a victim can use to contact the payment server operators in the event of a problem. On June 21st, 2016, the appended extension was changed to a random one consisting of 5 hexadecimal characters. On July 7th, 2016, CryptXXX's name was changed to Microsoft Decryptor. On July 14th, 2016, the developers released free keys for 2 variants of the ransomware. It is unknown why the payment servers were providing free keys for these variants.
On July 19th, 2016, a variant of the ransomware was discovered scrambling the names of encrypted files. On December 20th, 2016, Kaspersky updated their decryptor to decrypt CryptXXX encrypted files that have the .crypt, .cryp1, and .crypz extensions.

Payload Transmission

A user is typically infected by CryptXXX through exploit kits and trojan downloaders such as Bedep. These exploit kits can be located on hacked sites or delivered through malvertising.

Infection

When CryptXXX infects the user's computer it will scan all the drive letters for targeted file types, encrypt them, and then append the .crypt extension to them. Once these files are encrypted, they will no longer be able to be opened by the user's normal programs. When CryptXXX has finished encrypting the victim's files, it will change the desktop wallpaper to an image that acts as a ransom note. It will also display an HTML ransom note in the user's default browser.

The extensions targeted by CryptXXX are: .3DM, .3DS, .3G2, .3GP, .7Z, .ACCDB, .AES, .AI, .AIF, .APK, .APP, .ARC, .ASC, .ASF, .ASM, .ASP, .ASPX, .ASX, .AVI, .BMP, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM, .CLASS, .CMD, .CPP, .CRT, .CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU, .DDS, .DIF, .DIP, .DJV, .DJVU, .DOC, .DOCB, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD, .DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FLV, .FRM, .GADGET, .GBK, .GBR, .GED, .GIF, .GPG, .GPX, .GZ, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .IFF, .INDD, .JAR, .JAVA, .JKS, .JPG, .JS, .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .M3U, .M4A, .M4V, .MAX, .MDB, .MDF, .MFD, .MID, .MKV, .MML, .MOV, .MP3, .MP4, .MPA, .MPG, .MS11, .MSI, .MYD, .MYI, .NEF, .NOTE, .OBJ, .ODB, .ODG, .ODP, .ODS, .ODT, .OTG, .OTP, .OTS, .OTT, .P12, .PAGES, .PAQ, .PAS, .PCT, .PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN, .PNG, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIV, .PRIVAT, .PS, .PSD, .PSPIMAGE, .PY, .QCOW2, .RA, .RAR, .RAW, .RM, .RSS, .RTF, .SCH, .SDF, .SH, .SITX, .SLDX, .SLK, .SLN, .SQL, .SQLITE, .SRT, .STC, .STD, .STI, .STW, .SVG, .SWF, .SXC, .SXD, .SXI, .SXM, .SXW, .TAR, .TBK, .TEX, .TGA, .TGZ, .THM, .TIF, .TIFF, .TLB, .TMP, .TXT, .UOP, .UOT, .VB, .VBS, .VCF, .VCXPRO, .VDI, .VMDK, .VMX, .VOB, .WAV, .WKS, .WMA, .WMV, .WPD, .WPS, .WSF, .XCODEPROJ, .XHTML, .XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT, .XLTM, .XLTX, .XLW, .XML, .YUV, .ZIP, .ZIPX

When a file is encrypted it will have the .crypt extension appended to the normal file name. For example, a file named accounting.doc will be renamed to accounting.doc.crypt. While the computer's data is being encrypted, it will create ransom notes in every folder where a file was encrypted, in the C:\ProgramData folder, and on the Windows desktop. The victim_id is a unique string associated with the user's computer that identifies the user in the malware developer's payment system. An example of the !Recovery_victim_id.txt ransom note is:

@@@@@@@ NOT YOUR LANGUAGE? USE https://translate.google.com
@@@@@@@ What happened to your files ?
@@@@@@@ All of your files were protected by a strong encryption with RZA4096
@@@@@@@ More information about the en-Xryption keys using RZA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
@@@@@@@ How did this happen ?
@@@@@@@ !!! Specially for your PC was generated personal RZA4096 Key , both publik and private.
@@@@@@@ !!! ALL YOUR FILES were en-Xrypted with the publik key, which has been transferred to your computer via the Internet.
@@@@@@@ !!! Decrypting of your files is only possible with the help of the privatt key and de-crypt program , which is on our Secret Server
@@@@@@@ What do I do ?
@@@@@@@ So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
@@@@@@@ If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
Your personal ID: xxxxxxxxxxxxxxxx
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - http://2zqnpdpslpnsqzbw.onion.to
2 - http://2zqnpdpslpnsqzbw.onion.cab
3 - http://2zqnpdpslpnsqzbw.onion.city
If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser
3 - Type in the address bar - http://2zqnpdpslpnsqzbw.onion
4 - Follow the instructions on the site
Be sure to copy your personal ID and the instruction link to your notepad not to lose them.

Removal

Kaspersky made a free decryptor for CryptXXX called RannohDecryptor. It will try to determine the decryption key from an encrypted file. If it is unable to do so, the victim will need to give the program the same file in both its encrypted and unencrypted form. Using this file pair, the decryptor can determine the decryption key used for all of the encrypted files. The decryptor will only be able to decrypt files that are smaller than the file pair the key was derived from. To start the decryption process, simply download and execute the file. When the program starts, it will ask you to select an encrypted file. Once a file is selected, it will try to determine the decryption key. It most likely will not be able to do so and will prompt you to select a pair of the same file, one encrypted and one unencrypted. Select an encrypted file from the C:\Users\Public\Pictures\Sample Pictures folder and it will then ask you to select an unencrypted version of the same file. Simply download the corresponding unencrypted image from here and select it.
The decryptor should then be able to determine the decryption key and start decrypting the files. When it has finished decrypting the files, close the decryption program and remove it from the computer.
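The Infection section above gives an incident responder enough to scope an outbreak from the file system alone: encrypted files carry a .crypt, .cryp1 or .crypz suffix (or, in the later variant, a random 5-hexadecimal-character suffix), and a !Recovery_victim_id.txt note is dropped in every folder where something was encrypted. The Python script below is an added example, not code from the wiki page or from any vendor's decryptor. It walks a directory tree, classifies file names that match those patterns, and reports the affected folders and the victim IDs found in the notes. The directory layout it scans is constructed inline; the TARGETED_EXTS subset and the rule that a random 5-hex suffix only counts when it was appended to a file that still carries a targeted extension are assumptions made to avoid false positives on legitimate five-letter extensions such as "faded".

```python
import os
import re
import tempfile
from pathlib import Path

# Suffixes the page documents CryptXXX appending to encrypted files.
FIXED_EXTS = {".crypt", ".cryp1", ".crypz"}

# Assumption: a small subset of the targeted extensions listed on the page. A
# random 5-hex suffix is only treated as CryptXXX's when the name underneath it
# still ends in one of these, so "notes.faded" (hex-looking) is not flagged.
TARGETED_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                 ".png", ".zip", ".sql", ".txt"}

HEX5 = re.compile(r"^\.[0-9a-f]{5}$", re.IGNORECASE)       # June 2016 variant
NOTE_RE = re.compile(r"^!Recovery_([0-9A-Za-z]+)\.txt$")  # per-folder note


def classify(name):
    """Classify a bare file name.

    Returns ("encrypted", original_name), ("note", victim_id) or None.
    """
    note = NOTE_RE.match(name)
    if note:
        return ("note", note.group(1))
    p = Path(name)
    if p.suffix.lower() in FIXED_EXTS:
        return ("encrypted", p.stem)          # stem drops only the last suffix
    if HEX5.match(p.suffix) and Path(p.stem).suffix.lower() in TARGETED_EXTS:
        return ("encrypted", p.stem)
    return None


def triage(root):
    """Walk `root` and summarise CryptXXX-style artefacts found under it."""
    result = {"encrypted": [], "notes": [], "victim_ids": set(), "dirs": set()}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            hit = classify(fname)
            if hit is None:
                continue
            kind, info = hit
            full = os.path.join(dirpath, fname)
            if kind == "encrypted":
                result["encrypted"].append(full)
                result["dirs"].add(dirpath)
            else:
                result["notes"].append(full)
                result["victim_ids"].add(info)
    return result


def build_sample_tree():
    """Constructed sample layout mirroring what the page describes; returns its root."""
    root = tempfile.mkdtemp(prefix="cryptxxx_demo_")
    layout = {
        "Documents/accounting.doc.crypt": b"\x00" * 16,      # renamed as on the page
        "Documents/!Recovery_abc123.txt": b"constructed ransom note text",
        "Pictures/holiday.jpg.cryp1": b"\x00" * 16,
        "Pictures/report.docx.7b3c1": b"\x00" * 16,          # random 5-hex variant
        "Pictures/notes.faded": b"untouched",                # hex-looking, not targeted
        "Pictures/clean.png": b"untouched",
        "ProgramData/!Recovery_abc123.txt": b"second copy of the note",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    print(f"{len(summary['encrypted'])} encrypted files in {len(summary['dirs'])} folders")
    print(f"{len(summary['notes'])} ransom notes, victim IDs: {sorted(summary['victim_ids'])}")
```

Run it against a mounted image or a suspect share root instead of the constructed tree to get the list of folders that need restoring from backup; the victim ID set should contain exactly one value per infected host, and more than one is a sign that several machines wrote to the same share.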
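The Removal section describes a decryptor that needs an encrypted and unencrypted copy of the same file and can then only decrypt files no larger than that pair. That behaviour is what you get when the same keystream is applied to every file: XORing a ciphertext with its known plaintext yields the keystream for exactly as many bytes as the pair contains, and nothing beyond. The Python below is an added example using a toy cipher (SHA-256 in counter mode, XORed over the data) that is assumed to have that reuse property; it is not CryptXXX's real cipher and not RannohDecryptor's code, and the key and sample files are constructed. It shows why a known-plaintext pair recovers the key material and why the size limit the page mentions follows from it.

```python
import hashlib


def toy_keystream(key, length):
    """Deterministic keystream: SHA-256 in counter mode.

    Assumption: a stand-in for whatever cipher CryptXXX actually uses; the only
    property this example relies on is that every file gets the same keystream.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(plain, key):
    """Encrypt by XORing with the (reused) keystream."""
    return xor_bytes(plain, toy_keystream(key, len(plain)))


def recover_keystream(encrypted, original):
    """Known-plaintext step: C xor P = keystream, for as many bytes as the pair has."""
    if len(encrypted) != len(original):
        raise ValueError("pair lengths differ; these are not the same file")
    return xor_bytes(encrypted, original)


def decrypt_with_keystream(encrypted, keystream):
    """Decrypt another file; refuses files longer than the recovered keystream."""
    if len(encrypted) > len(keystream):
        raise ValueError(
            f"file is {len(encrypted)} bytes but only {len(keystream)} keystream bytes are known"
        )
    return xor_bytes(encrypted, keystream)


def demo():
    """Walk through the recovery the page describes on constructed data.

    Returns (recovered_small_doc, error_for_large_doc).
    """
    key = b"per-victim key (constructed)"
    sample_picture = bytes(range(64))      # stands in for a Sample Pictures file
    small_doc = b"Q1 invoices: total 1234.56"  # 26 bytes, fits within the pair
    big_doc = b"A" * 100                   # larger than the pair: cannot be recovered

    enc_sample = toy_encrypt(sample_picture, key)
    keystream = recover_keystream(enc_sample, sample_picture)   # 64 known bytes

    recovered_small = decrypt_with_keystream(toy_encrypt(small_doc, key), keystream)
    try:
        decrypt_with_keystream(toy_encrypt(big_doc, key), keystream)
        big_error = None
    except ValueError as exc:
        big_error = str(exc)
    return recovered_small, big_error


if __name__ == "__main__":
    small, err = demo()
    print("small document recovered:", small)
    print("large document:", err)
```

The practical consequence for a responder is the one the page states: choose the largest file for which a pristine copy exists (an installer, a stock sample picture, a file also held in backup) as the pair, because everything recoverable must be no longer than it.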